Add option to do full logout

psignoret · psignoret · commit 404c3cd5b056 · 2018-04-06T21:19:54.000+02:00
Adds a new option to perform a full logout of Azure AD when logging out of WordPress. Fixes #163 and fixes #184.
diff --git a/Settings.php b/Settings.php
@@ -104,6 +104,13 @@ class AADSSO_Settings {
 	 */
 	public $default_wp_role = null;
 
+	/**
+	* Indicates whether a logout of WordPress should also trigger a logout of Azure AD.
+	*
+	* @var boolean Whether or not logging out of WordPress triggers logging out of Azure AD.
+	*/
+	public $enable_full_logout = false;
+
 	/**
 	 * @var string The OpenID Connect configuration discovery endpoint.
 	 */
diff --git a/SettingsPage.php b/SettingsPage.php
@@ -248,6 +248,14 @@ public function register_settings() {
 			'aadsso_settings_page', // page
 			'aadsso_settings_general' // section
 		);
+		
+		add_settings_field(
+			'enable_full_logout', // id
+			__( 'Enable full logout', 'aad-sso-wordpress' ), // title
+			array( $this, 'enable_full_logout_callback' ), // callback
+			'aadsso_settings_page', // page
+			'aadsso_settings_general' // section
+		);
 
 		add_settings_field(
 			'field_to_match_to_upn', // id
@@ -374,6 +382,7 @@ public function sanitize_settings( $input ) {
 			'enable_auto_forward_to_aad',
 			'enable_aad_group_to_wp_role',
 			'match_on_upn_alias',
+			'enable_full_logout',
 		);
 		foreach ( $boolean_settings as $boolean_setting )
 		{
@@ -646,6 +655,17 @@ public function openid_configuration_endpoint_callback() {
 		);
 	}
 
+	/**
+	 * Renders the `enable_full_logout` checkbox control.
+	 */
+	public function enable_full_logout_callback() {
+		$this->render_checkbox_field(
+			'enable_full_logout',
+			__( 'Do a full logout of Azure AD when logging out of WordPress.',
+				'aad-sso-wordpress' )
+		);
+	}
+
 	/**
 	 * Renders a simple text field and populates it with the setting value.
 	 *
diff --git a/aad-sso-wordpress.php b/aad-sso-wordpress.php
@@ -5,7 +5,7 @@
 Plugin URI: http://github.com/psignoret/aad-sso-wordpress
 Description: Allows you to use your organization's Azure Active Directory user accounts to log in to WordPress. If your organization is using Office 365, your user accounts are already in Azure Active Directory. This plugin uses OAuth 2.0 to authenticate users, and the Azure Active Directory Graph to get group membership and other details.
 Author: Philippe Signoret
-Version: 0.6.3
+Version: 0.6.4
 Author URI: https://www.psignoret.com/
 Text Domain: aad-sso-wordpress
 Domain Path: /languages/
@@ -83,7 +83,7 @@ public function __construct( $settings ) {
 		add_action( 'login_form', array( $this, 'print_login_link' ) ) ;
 
 		// Clear session variables when logging out
-		add_action( 'wp_logout', array( $this, 'clear_session' ) );
+		add_action( 'wp_logout', array( $this, 'logout' ) );
 
 		// If configured, bypass the login form and redirect straight to AAD
 		add_action( 'login_init', array( $this, 'save_redirect_and_maybe_bypass_login' ), 20 );
@@ -348,6 +348,10 @@ function authenticate( $user, $username, $password ) {
 			);
 		}
 
+		if ( is_a( $user, 'WP_User' ) ) {
+			$_SESSION['aadsso_signed_in_with_azuread'] = true;
+		}
+
 		return $user;
 	}
 
@@ -563,6 +567,21 @@ function clear_session() {
 		session_destroy();
 	}
 
+	/**
+	 * Clears the current the session, and triggers a full Azure AD logout if needed.
+	 */
+	function logout() {
+
+		$signed_in_with_azuread = isset( $_SESSION['aadsso_signed_in_with_azuread'] ) 
+									&& true === $_SESSION['aadsso_signed_in_with_azuread'];
+		$this->clear_session();
+
+		if ( $signed_in_with_azuread && $this->settings->enable_full_logout ) {
+			wp_redirect( $this->get_logout_url() );
+			die();
+		}
+	}
+
 	/*** Settings ***/
 
 	/**
